7.5 - USN-59-1

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

mailman

The problem can be corrected by upgrading the affected package to version 2.1.5-1ubuntu2.2. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.

Juha-Matti Tapio discovered an information disclosure in the private rosters management. Everybody could check whether a specified email address was subscribed to a private mailing list by looking at the error message. This bug was Ubuntu/Debian specific.

Important note:

There is currently another known vulnerability: when an user subscribes to a mailing list without choosing a password, mailman automatically generates one. However, there are only about 5 million different possible passwords which allows brute force attacks.

A different password generation algorithm already exists, but is currently too immature to be put into a stable release security update. Therefore it is advisable to always explicitly choose a password for subscriptions, at least until this gets fixed in Warty Warthog.

See https://bugzilla.ubuntu.com/4892 for details.